[Openswan Users]

Paul Wouters paul at xelerance.com
Wed Aug 9 12:44:20 EDT 2006


On Wed, 9 Aug 2006, Greg wrote:

"no connection has been authorized" means the conn failed to load. Check the error log,
or recreate the error using: ipsec auto --replace roadwarrior-l2tp

I have never put an l2tp vpn server behind NAT myself.

Paul

> Date: Wed, 9 Aug 2006 17:23:34 +0200
> From: Greg <gregory.domagala at aliceadsl.fr>
> Cc: users at openswan.org
> To: 'Paul Wouters' <paul at xelerance.com>
> Subject: RE: [Openswan Users]
>
> Thank you again, Paul,
>
> 	My Router: 	Public IP: 81.127.61.93
> 			Local IP : 192.168.0.5
>
> 	My VPN Gateway Local IP : 192.168.0.4
>
> 	I've tried this
>
> version 2.0
>
> config setup
>       interfaces=%defaultroute
>       nat_traversal=yes
>       virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:81.127.61.93/32
>       # Debug-logging controls: "none" for (almost) none, "all" for lots.
>       klipsdebug=none
>       plutodebug="none"
>
> conn %default
>         keyingtries=1
>         compress=yes
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>
> conn roadwarrior-l2tp
>         left=192.168.0.4
>         leftcert=cert.pem
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/1701
>         rightsubnet=vhost:%no,%priv
>         pfs=no
>         auto=add
>         type=transport
>
> conn block
>         auto=ignore
>
> conn private
>         auto=ignore
>
> conn private-or-clear
>         auto=ignore
>
> conn clear-or-private
>         auto=ignore
>
> conn clear
>         auto=ignore
>
> conn packetdefault
>         auto=ignore
>
>
>
> But it's the same log :(
> I will become insane :)
>
>
>
>
> > > -----Original Message-----
> > > From: Paul Wouters [mailto:paul at xelerance.com]
> > > Sent: Wednesday 9 August 2006 16:46
> > > To: Greg
> > > Cc: users at openswan.org
> > > Subject: RE: [Openswan Users]
> >
> > On Wed, 9 Aug 2006, Greg wrote:
> >
> > > 	I've change the parameter with my public IP then my private IP, I've
> > > got the same log
> >
> > It needs to be the IP that is *on* the box, not the IP of the NAT gateway
> > in front of it. Also, if your openswan box is NAT'ed, you need to exclude
> > its local LAN range from virtual_private, and clients behind NAT on the
> > same range cannot connect.
> >
> > > I think that will use the hammer on me
> >
> > hammers were mostly for ipsec passthrough devices :)
> >
> > It saves a lot of time (and money) to give a VPN server its own public IP
> > address. It's really worth an extra DSL line.
> >
> > Paul
> >
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [FRAGMENTATION]
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: initial Main Mode message received on 192.168.0.4:500 but no connection has been authorized
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [FRAGMENTATION]
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> > > Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: initial Main Mode message received on 192.168.0.4:500 but no connection has been authorized
> > > Aug  9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug  9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [FRAGMENTATION]
> > > Aug  9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug  9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> > > Aug  9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500: initial Main Mode message received on 192.168.0.4:500 but no connection has been authorized
> > > Aug  9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug  9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [FRAGMENTATION]
> > > Aug  9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug  9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> > > Aug  9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500: initial Main Mode message received on 192.168.0.4:500 but no connection has been authorized
> > > Aug  9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug  9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [FRAGMENTATION]
> > > Aug  9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug  9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> > > Aug  9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500: initial Main Mode message received on 192.168.0.4:500 but no connection has been authorized
> > > Aug  9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug  9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [FRAGMENTATION]
> > > Aug  9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug  9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> > > Aug  9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500: initial Main Mode message received on 192.168.0.4:500 but no connection has been authorized
> > > Aug  9 07:47:11 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Delete SA payload: not encrypted
> > > Aug  9 07:47:11 darko pluto[8695]: packet from 80.10.28.185:500: received and ignored informational message
> > >
> > > Thanks,
> > >
> > > GD
> > >
> > > > > -----Original Message-----
> > > > > From: Paul Wouters [mailto:paul at xelerance.com]
> > > > > Sent: Tuesday 8 August 2006 23:59
> > > > > To: Greg
> > > > > Cc: users at openswan.org
> > > > > Subject: RE: [Openswan Users]
> > > >
> > > > On Tue, 8 Aug 2006, Greg wrote:
> > > >
> > > > > conn roadwarrior-l2tp
> > > > >         left=%defaultroute
> > > > >         leftcert=/etc/ipsec.d/certs/cert.pem
> > > > >         leftprotoport=17/1701
> > > > >         right=%any
> > > >
> > > > You cannot use both %defaultroute and %any, because then openswan
> > > > cannot determine if it is left or right.
> > > > Since this is the server end, I assume that you know the IP for left=
> > > >
> > > > > Aug  8 23:17:01 darko pluto[4751]: packet from 90.95.19.131:500: initial Main Mode message received on 192.168.0.4:500 but no connection has been authorized
> > > >
> > > > That's because of the reasons above.
> > > >
> > > > Paul
> > >
> >
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
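The two rules Paul states in this thread (with right=%any, left= must be a fixed address that is actually on the box, not %defaultroute and not the NAT router's public IP; and if virtual_private covers the box's own LAN, that LAN must be excluded with a %v4:!... entry) can be checked mechanically against an ipsec.conf, and the posted pluto log can be summarised per peer instead of read retry by retry. The script below is an added example and is not code from the thread or from Openswan. The sample log lines and ipsec.conf are constructed from what Greg posted; BOX_ADDRS and LAN are assumptions made for the example.

```python
"""Triage helper for the symptoms in this thread (added example, not code
from the thread or from Openswan).  Parses pluto log lines shaped like the
ones Greg posted plus a minimal ipsec.conf, then applies the two checks
Paul gives in his replies.  BOX_ADDRS and LAN are assumptions; the sample
log and config are constructed from the thread."""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(r"pluto\[\d+\]: packet from (?P<peer>[\d.]+):\d+: (?P<msg>.*)$")
NOCONN_RE = re.compile(r"Main Mode message received on (?P<local>[\d.]+):\d+ "
                       r"but no connection has been authorized")
VID_RE = re.compile(r"Vendor ID payload \[(?P<vid>[^\]]+)\]")

BOX_ADDRS = {"192.168.0.4"}   # assumed: addresses configured on the VPN box itself
LAN = "192.168.0.0/24"        # assumed: the box's own LAN behind the NAT router

# Constructed from the log excerpt in the thread (two of the retries).
SAMPLE_LOG = [
    "Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]",
    "Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106",
    "Aug  9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: initial Main Mode message received on 192.168.0.4:500 but no connection has been authorized",
    "Aug  9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500: initial Main Mode message received on 192.168.0.4:500 but no connection has been authorized",
    "Aug  9 07:47:11 darko pluto[8695]: packet from 80.10.28.185:500: ignoring Delete SA payload: not encrypted",
]

# Constructed from Greg's second ipsec.conf in the thread (abridged).
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:81.127.61.93/32

conn roadwarrior-l2tp
    left=192.168.0.4
    leftcert=cert.pem
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    type=transport
    auto=add
"""


def summarize_pluto_log(lines):
    """Group 'packet from' events by peer: vendor IDs seen, how many Main Mode
    attempts ended in 'no connection has been authorized', and on which local
    address pluto received them."""
    out = defaultdict(lambda: {"vids": set(), "no_conn": 0, "local": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        entry, msg = out[m.group("peer")], m.group("msg")
        v = VID_RE.search(msg)
        if v:
            entry["vids"].add(v.group("vid"))
        n = NOCONN_RE.search(msg)
        if n:
            entry["no_conn"] += 1
            entry["local"].add(n.group("local"))
    return dict(out)


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {section: {key: value}} for 'config setup'
    and 'conn NAME' blocks; comments and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("config ", "conn ")):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    return sections


def check_roadwarrior_conn(conf, conn, box_addrs, lan):
    """Apply Paul's two checks to one conn; returns a list of problems (empty = OK)."""
    c = conf.get(conn)
    if c is None:
        return [f"conn {conn} not found in ipsec.conf (nothing to load)"]
    problems = []
    left, right = c.get("left"), c.get("right")
    if left == "%defaultroute" and right == "%any":
        problems.append("left=%defaultroute with right=%any: pluto cannot tell which end is left")
    elif left not in box_addrs:
        problems.append(f"left={left} is not an address on this box")
    lan_net = ipaddress.ip_network(lan)
    vp = conf.get("setup", {}).get("virtual_private", "")
    entries = [e.strip() for e in vp.split(",") if e.strip()]
    covered = any(e.startswith("%v4:") and not e.startswith("%v4:!")
                  and lan_net.subnet_of(ipaddress.ip_network(e[4:], strict=False))
                  for e in entries)
    if covered and f"%v4:!{lan}" not in entries:
        problems.append(f"virtual_private covers the box's own LAN {lan} without a %v4:!{lan} exclusion")
    return problems


if __name__ == "__main__":
    for peer, info in summarize_pluto_log(SAMPLE_LOG).items():
        print(f"{peer}: {info['no_conn']} unauthorized Main Mode attempts on "
              f"{sorted(info['local'])}; vendor IDs {sorted(info['vids'])}")
    found = check_roadwarrior_conn(parse_ipsec_conf(SAMPLE_CONF), "roadwarrior-l2tp", BOX_ADDRS, LAN)
    for p in found or ["config passes both checks"]:
        print(p)
```

Greg's second config passes both checks, which is consistent with Paul's reply: the remaining question is whether the conn loaded at all, which `ipsec auto --replace roadwarrior-l2tp` answers directly. Greg's first config (left=%defaultroute with right=%any) and his attempt with the router's public IP as left= are each flagged by the script. To use it on a real box, feed it the lines syslog writes for pluto and the live /etc/ipsec.conf, and set BOX_ADDRS and LAN to the real values.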

